What changed
RBI issued comprehensive directions on managing risks in outsourcing for Small Finance Banks, covering both financial services and IT outsourcing. The directions mandate board-approved policies, enhanced risk management frameworks, and specific compliance timelines for existing IT agreements. New IT outsourcing agreements must comply from the effective date, while existing ones have until April 10, 2026.
What it means for you
Small Finance Banks must overhaul their outsourcing governance to meet stricter RBI norms, including board-level accountability and detailed risk evaluation. Existing IT contracts need review and alignment by April 2026, potentially requiring renegotiation. Non-compliance with these directions could invite regulatory action, so banks should prioritize updating policies and agreements.
What you must do
- Review and update board-approved outsourcing policy to align with the new directions.
- Audit all existing IT outsourcing agreements and plan compliance by April 10, 2026.
- Ensure new IT outsourcing contracts comply with the directions from the date of signing.
- Strengthen risk management frameworks for service provider evaluation and monitoring.
- Establish grievance redressal mechanisms for outsourced services as per Chapter III and IV.
Who it affects
Small Finance Banks, Board of Directors and Senior Management of SFBs, IT and Risk Management teams of SFBs, Service providers to SFBs (including group entities and offshore vendors)
What activities cannot be outsourced under these directions?
The directions list specific activities that shall not be outsourced, as detailed in Chapter III. Banks must refer to the full document for the exact list, which includes activities such as core financial services functions as defined by the RBI.